Safety and Certification Approaches for Ethernet based Aviation Databuses FAA Software Conference...
-
Upload
melissa-stanbrough -
Category
Documents
-
view
224 -
download
0
Transcript of Safety and Certification Approaches for Ethernet based Aviation Databuses FAA Software Conference...
Safety and Certification Approaches for Ethernet based Aviation Databuses
FAA Software Conference – July 2005
Yang-Hang Lee, Arizona State University
Philip A. Scandura, Jr., and Elliott Rachlin , Honeywell
FAA/NASA Conference – July 2005 Page 2
Project Information
FAA-Sponsored Research
Project# FAA SDSS BAA – TCBAA-01-0001 “Safety and Certification Approaches for Ethernet-based Aviation Databuses”
Joint effort between Arizona State University and Honeywell
Started Oct. 2001 and completed in Dec. 2004.
Operates under the auspices of the FAA Software and Digital Systems Safety (SDSS) office
Oversight provided by Charles Kilgore, FAA Program Manager AAR-421, Flight Safety Research (Atlantic City, NJ)
FAA/NASA Conference – July 2005 Page 3
Agenda
Ethernet Aviation Databus Project Overview
FAA Databus Evaluation Criteria CAST-16 Position Paper Overview Applying Generic Criteria Applying Project-Specific Criteria
Handbook for Ethernet-based Aviation Databuses: Certification and Design Considerations
Summary and Conclusions
Contact Information
FAA/NASA Conference – July 2005 Page 4
Ethernet Aviation Databus Project Overview
FAA/NASA Conference – July 2005 Page 5
Project Summary
Objective Comprehensive investigation of safety and certification issues of
Ethernet based aviation databuses Goals
understand any potential safety issues provide guidance for network structure and operations
Approaches examine operations at various software layers and Ethernet network
components workload generation and test strategy acceptance criteria
This research aims to find ways to make Ethernet acceptable as an aircraft databus !
FAA/NASA Conference – July 2005 Page 6
Avionics Databus Technology
ETHERNET for aircraft databus !? Pros: Bandwidth, Full-Duplex, Flexibility – lowers wire counts,
and Economical - COTS ! Cons: Non-deterministic, and Sensitive to Electro-Magnetic
Interference at High speeds (100Mbps)
Ethernet must be made suitable for deterministic data transfer before it can be considered as an aviation databus ! Guaranteed delivery Bounded Delays Reliability and fault Tolerance
FAA/NASA Conference – July 2005 Page 7
Ethernet Aviation Databus - Schematic
This is how avionic instruments in a next generation aircraft could be wired !
In Airbus 380 and Boeing 787, Ethernet will be used not only for non-critical operations such as entertainment but also for critical systems such as the flight control systems.
A schematic of the Airbus A320
FAA/NASA Conference – July 2005 Page 8
Ethernet System and CSMA/CD
The standard bus based configuration of Ethernet
Ethernet Bus
Endsystem A Endsystem B
A wants to send data to B
B wants to send data to A
Both A and B sense the carrier (Ethernet bus) to see if it is idle and is ready for data transmission, else if they detect a collision then both back off for a random amount of time before retrying (CSMA/CD)
FAA/NASA Conference – July 2005 Page 9
Switched Ethernet
Switched Ethernet configuration no collision on Ethernet bus switch: routing at level -2 or –3 and packet buffer
Endsystem BEndsystem A
Endsystem C
Access SwitchAccess Switch
Backbone Switch
FAA/NASA Conference – July 2005 Page 10
Full Duplex Fully Switched Ethernet
Every end-system is connected to a switch, and separate conductors for transmission and reception.
Switches are connected to each other through a backbone switch
There can be no collisions in the system and hence CSMA/CD is turned off. However, non-determinism due to traffic characteristics and system design Bursty traffic leads to congestion, packet loss and unbounded delays Improper end-system and switch communication architecture can lead
to buffer overflows which in turn leads to packet loss Lack of specific policies for real-time traffic can lead to degraded
service for high priority data leading to missed deadlines Non-determinism due to the above factors can be overcome
a proper design of the network communication components an analysis of the traffic loads in the system.
FAA/NASA Conference – July 2005 Page 11
Determinism in Ethernet Databus
Traffic characteristics bursty (worst case) and average traffic (data rate, packet size,
unicast or multicast) source and destination applications
Quality of service requirements delay and jitter packet loss and system failure rates
System architecture network configuration traffic management, routing, and packet scheduling
Analysis and verification model and analysis testing
FAA/NASA Conference – July 2005 Page 12
Ethernet Aviation Databus – Communication Architecture
Avionic Instrument
Access Switch
Aircraft Backbone Switching Network
Backbone Switch
Access Switch
Avionic Instrument
aviation applications
aviation applications
aviation applications
task & comm. scheduling
communication stack modules
communication interface drivers
EthernetMAC
Full duplex switched network
Ethernet busconfiguration
Application layer
RTOS layer
Ethernet controller
Network
FAA/NASA Conference – July 2005 Page 13
Node level bound the latencies experienced by a data packet at
the end nodes regulate transmission traffic (bounded to a pre-
defined bursty model) schedulable and deterministic communication
operations handle network failure, packet loss, and bit error
Solutions for Deterministic Operations
Switch and network level Network configuration initialization and static routing traffic model
at each switch element Packet scheduling algorithm, analysis of delay and buffer
requirement for each switch Multicast support, traffic Replication (network and packet) for fault tolerance
FAA/NASA Conference – July 2005 Page 14
ARINC 664 - ADN
The ARINC 664 specification Aircraft Data Network (ADN) a multi-part ARINC Standard defining data networking standards
recommended for use in commercial aircraft installations. provides a means to adapt commercially defined networking standards
to an aircraft environment refers extensively to data networking standards developed by the
Internet community and the Institute of Electrical Engineers (IEEE). It also recognizes the ISO specified Open Systems Interconnect (OSI) standards.
Part 7 gives a sample implementation of a “Deterministic Network”. We will briefly discuss the salient features of this implementation.
FAA/NASA Conference – July 2005 Page 15
ADN – Deterministic Network
Also called AFDX – Avionics Full Duplex Switched Ethernet. It uses the TCP/IP protocol suite with UDP on top standard IP for data exchange.
Determinism is defined using the following parameters: Guaranteed bandwidth Maximum latency for data delivery Maximum delay jitter Defined probability of frame loss Maintenance of ordinal integrity Impersonation protection
FAA/NASA Conference – July 2005 Page 16
ADN – Deterministic Network
Uses the concept of a “virtual link” (VL) to define the determinism. The parameters discussed previously are defined per-VL.
Some of the mechanisms used to achieve this determinism are: Traffic shaping at end systems and traffic policing at switches Bandwidth allocation per VL Defined packet processing latency at the switch and end-
systems (e.g.: the stack processing latency on end-systems is bounded and lower than the 150us + frame delay)
Zero frame loss due to collisions and contention Packet sequencing for each VL Network redundancy
FAA/NASA Conference – July 2005 Page 17
FAA Databus Evaluation Criteria
FAA/NASA Conference – July 2005 Page 18
Databus Evaluation Criteria - Overview
Certification Authorities Software Team (CAST)
Position Paper CAST-16, “Databus Evaluation Criteria” Abstract - A number of new and existing databuses are being proposed
for use by aircraft manufacturers. This paper documents criteria that should be considered by databus manufacturers, aircraft applicants, and certification authorities when developing, selecting, integrating, or approving a databus technology in the context of an aircraft project.
Available on Aircraft Certification Service Software Website: http://av-info.faa.gov/software/ Released February 2003
CAST PAPER DISCLAIMER: “This document is provided for educational and informational purposes only and should be discussed with the appropriate certification authority when considering for actual projects. It does not constitute official policy or guidance from any of the authorities.”
FAA/NASA Conference – July 2005 Page 19
Databus Evaluation Criteria - Overview
Several areas to consider when evaluating a specific databus technology. CAST-16 identified eight major categories 3.1 Safety - 9 criteria 3.2 Data Integrity - 12 criteria 3.3 Performance - 10 criteria 3.4 Design/Development Assurance - 2 criteria 3.5 Electromagnetic Compatibility - 4 criteria 3.6 Verification and Validation - 9 criteria 3.7 System Configuration Management - 5 criteria 3.8 Continued Airworthiness - 1 criteria
Some categories and evaluation criteria overlap
Remember that a databus cannot be certified alone - it must be certified as part of a aircraft system or function.
FAA/NASA Conference – July 2005 Page 20
Databus Evaluation Criteria - Overview
Much of today’s “modern” databus technology is based upon commercial COTS products. This presents several issues that must be addressed Product licensing, royalties and data rights Availability of databus artifacts in support of design assurance
(hardware and software) Suitability of databus hardware and software for avionics environment Obsolescence support and continued airworthiness Databus security Others?
Keep these issues in mind as we discuss the eight categories identified by CAST-16
Addressing these issues requires coordination and cooperation between Databus Supplier, System Integrator, Aircraft Applicant and FAA.
FAA/NASA Conference – July 2005 Page 21
Evaluation of Generic Criteria
Regardless of the specific databus technology, the following “generic” categories must be evaluated
3.1 Safety - criteria 1 & 2 Aircraft and system-level safety assessments must include the
databus as part of the analysis System-level safety assessment must address databus architecture,
implementation, failure detection and reporting features 3.4 Design/Development Assurance - all criteria
Databus hardware is assessed to the appropriate design assurance level (per the safety assessment) - e.g., DO-254/ED-80
Databus software is assessed to the appropriate design assurance level (per the safety assessment) - e.g., DO-178B/ED-12B
FAA/NASA Conference – July 2005 Page 22
Evaluation of Generic Criteria
3.5 Electromagnetic Compatibility - all criteria More than just satisfying satisfy DO-160D/ED14-D Databus equipment and installation must also consider
Emissions dependent upon pulse rise-times, bus speed, topology Differential-mode signaling and transformer-coupled connections RF emissions and susceptibility Effects due to lightning and HIRF
3.6 Verification and Validation - all criteria Evaluation to appropriate standards, e.g.,
Environment per DO-160D/ED14-D Hardware per DO-254/ED-80 Software per DO-178B/ED-12B
Bus verification and validation as an integrated system, including Failure management and recovery scenarios Built-In Test capabilities Performance under degraded modes of operation
FAA/NASA Conference – July 2005 Page 23
Evaluation of Generic Criteria
3.7 System Configuration Management - all criteria Databus configuration control at the aircraft installation level, both from
fleet and individual aircraft perspectives Databus configuration control in all phases, from design through
production and maintenance Configuration of databus documentation, including industry standards,
interface control documents, designer’s guide, installation guide, etc. 3.8 Continued Airworthiness - all criteria
Databus performance over the lifetime of the aircraft must be considered including Physical degradation of components and wiring Issues due to in-service modifications and repairs Dealing with obsolesce and system upgrades Providing change impact analysis to determine aircraft impacts
FAA/NASA Conference – July 2005 Page 24
Evaluation of Project-Specific Criteria
Definition of an Ethernet Aviation Databus“…a Standard Ethernet (IEEE 802.3) based network with a set of solutions in software and hardware across the network to ensure deterministic data delivery between nodes residing on the network.”
High Level Requirements Abstraction Determinism, Fault Tolerance, Data Integrity, Performance,
System Interoperability, Scalability, Security
The following “project-specific” categories will be assessed as part of the Ethernet Aviation Databus Project 3.1 Safety - criteria 3..9 3.2 Data Integrity - all criteria 3.3 Performance - all criteria
FAA/NASA Conference – July 2005 Page 25
Evaluation of Project-Specific Criteria
Step 1: Define the application level requirement and traffic characteristics To obtain timing and reliability requirements at component level Traffic characteristics
source, destination, packet arrival process, volume network configuration and routing
Timing requirement deadline jitter
Reliability and safety requirement reliability and availability recovery mechanism redundence management
FAA/NASA Conference – July 2005 Page 26
Evaluation of Project-Specific Criteria
Step 2: Demonstrate how deterministic operations are achievable, including the set of issues that need to be addressed in any deterministic communication system, Network topology Traffic regulation Resource and bandwidth allocation Traffic scheduling Network stack processing Redundancy Network component design
FAA/NASA Conference – July 2005 Page 27
Evaluation of Project-Specific Criteria
Step 3: Analysis and verification -- How the application-level requirements are met Packet scheduling in the switches Packet and task scheduling in the end systems End-to-end delay Fault-tree analysis Reliability analysis Test scenarios and traffic patterns (average and worst cases) Fault injection and recovery operation Timing measurement
FAA/NASA Conference – July 2005 Page 28
Handbook Development
FAA/NASA Conference – July 2005 Page 29
Handbook Development
Integrate the research results in a handbook on
Certification and Design Considerations Idea of development
CAST-16 paper as the base Design and certification guidelines by providing elaborations on
what should be addressed less on how to do it
Acceptance criteria general (DO-178B, etc.) and application specific (for
databuses) System specification and requirement Design issues which have an impact on deterministic operations
FAA/NASA Conference – July 2005 Page 30
Handbook Development (cont’d)
Acceptance Criteria:What should be evaluated
for certification
Specification and Requirement for Ethernet Databus:
What should be achieved as an avionics equipment
Design Issues:What should be addresses In order to meet the spec.
System and Application: Requirement &
Traffic
FAA/NASA Conference – July 2005 Page 31
Certification Considerations
Goal: to demonstrate the achievement of safety, performance, and reliability
CAST-16 paper: categories and criteria General: applicable to all avionics products Application specific: applicable to Ethernet databus
Safety: determinism on data delivery (delays under failure-free and recovery modes)
Data Integrity: System level: node and link failures Message level: message loss or bit-error-rate
Performance: message bandwidth and latency System Configuration: communication entities, topology,
traffic management, and message routing
FAA/NASA Conference – July 2005 Page 32
Ethernet Databus Requirements
What Ethernet databus must do for the avionics systems?
Determinism – guaranteed message delivery with a bounded latency at system level, node and switch levels dependability what else should be guaranteed?
Requirements Traffic specification – models and parameters Resource availability – at each node and switch Quality of service – per application and connection Error/failure management and protection
FAA/NASA Conference – July 2005 Page 33
Design Issues (1)
What the inherent design problems that must be resolved for a certifiable Ethernet databus?
Issues with CSMA/CD protocol bus-based cyclic scheduling –
time-based and synchronized one transmitter at a time
switch-based message scheduling – full-duplex and one transmitter on each bus message routing and scheduling must lead to deterministic
behavior
FAA/NASA Conference – July 2005 Page 34
Design Issues (2)
Flow control – open-loop control (preferred) vs. close-loop flow specification – to describe traffic flows in the network
worst case and average traffic regulation –
shaping and policing schemes and mechanisms any effect of violation buffer requirement and message dropping
admission control can a connection be accepted or rejected
FAA/NASA Conference – July 2005 Page 35
Design Issues (3)
Deterministic Message Transmission in Switched Ethernet message arrival and departure processes switch architecture, scheduling disciplines, and message buffers guaranteed end-to-end QOS and message ordering
Data Integrity and Reliability lossless, fault isolation, and redundancy any detection and recovery at higher layers (e.g. application)
FAA/NASA Conference – July 2005 Page 36
Design Issues (4)
Network Stack Processing connection-oriented – state information, bandwidth allocation,
sequence and flow control address resolution – static and deterministic addressing scheme – unicast and multicast, MAC, and
connection
Non-determinism in Ethernet Interface Components interrupt, DMA, FIFO buffer management, context switching, etc. PCI-based components as an example
System Configuration
FAA/NASA Conference – July 2005 Page 37
Main Notions
Certification criteria about safety, performance, and data integrity
System requirements network requirements
Application model traffic model
Demonstration feasible approaches -- such as static routing, fixed addressing,
open-loop control, traffic model, connection-oriented, etc. provable algorithms (deterministic and bounded worst-case
behavior) evaluation of implementation (software and hardware at
component and system levels)
FAA/NASA Conference – July 2005 Page 38
Summary and Conclusions
FAA/NASA Conference – July 2005 Page 39
Summary and Conclusions
High speed databus for avionic system is in demand Use COTS technology for critical applications Deterministic
Certification for aviation databus “Do the right thing” and “Make the thing right” What are required by the applications What are needed in architecture and component designs What should be done to demonstrate the processes and the
results Difficult to come up check boxes, but need a
structured approach to address Requirement Design and implementation Analysis, testing, and verification
FAA/NASA Conference – July 2005 Page 40
Contact Information
www.asu.edu
www.honeywell.com
www.faa.gov
Yang-Hang Lee ([email protected])
Elliott Rachlin ([email protected])
Phil Scandura ([email protected])
Charles Kilgore ([email protected])
Software & Digital Systems Safety Research ProgramFAA William J. Hughes Technical CenterFlight Safety Research Branch, AAR-470Atlantic City, New Jersey
FAA/NASA Conference – July 2005 Page 41
Handbook Outline
1. Introduction: purpose, scope, organization, and focus for readers
2. Ethernet-based Aviation Databus System
2.1 A Brief Overview Of Ethernet
2.2 General Concerns of Ethernet as an Avionics Databus
3. Certification of Ethernet-based Avionics Databus
3.1 Background
3.2 Certification Considerations
3.3 Certification Position Paper
3.4 Generic Evaluation Criteria
3.5 Ethernet Databus Specific Evaluation Criteria
3.6 Use of COTS Products
FAA/NASA Conference – July 2005 Page 42
Handbook Outline (cont’d)
4. Avionics Application Requirements4.1 Determinism in Communication system4.2 Avionics Application Requirements
5. Issues To Be Addressed by Ethernet-based Databus Designers5.1 Issues with CSMA/CD Protocol5.2 Flow Control5.3 Deterministic Message Transmission in Switched Network5.4 Data Integrity and Reliability5.5 Network Stack Processing5.6 Non-determinism In Hardware Components On End System5.7 System Configuration
6. Conclusion